Date: 2026-05-02
Source: Dark Web Leak Site Monitoring / Ransomware.live
Analyst: Security Arsenal Intel Team
Threat Actor Profile — FULCRUMSEC
- Aliases: None confirmed (appears to be a rebrand or new entrant acting independently).
- Operational Model: RaaS (Ransomware-as-a-Service) affiliate model. Recent postings suggest a high-volume "factory" approach with rapid turnover of victims.
- Ransom Demands: Variable, typically ranging from $500k to $5m USD depending on victim revenue. High pressure tactics via direct email to executives.
- Initial Access Vectors: Exploitation of Public-Facing Applications is the primary vector in this campaign. Specifically targeting unpatched email gateways (Microsoft Exchange, SmarterTools SmarterMail) and cloud/firewall management interfaces (Cisco FMC, Meta React).
- Double Extortion: Standard practice. Data is exfiltrated via FTP/Cloud storage tools prior to encryption. Leak site "Countdown" timers are aggressively set to 3-5 days.
- Dwell Time: Estimated 3-7 days. The speed of exploitation suggests automated vulnerability scanning followed immediately by manual hands-on-keyboard ransomware deployment.
Current Campaign Analysis
Sector Targeting
FULCRUMSEC has aggressively diversified its portfolio in the last 100 postings but maintains a distinct focus on Technology and Healthcare in this specific wave (May 1st postings).
- High-Value Targets: Avnet (Tech), LexisNexis (Data Services), MCO (Financial).
- Critical Infrastructure: Woundtech and Lena Health (Healthcare) suggest a willingness to impact patient care services to force payment.
Geographic Concentration
The campaign is overwhelmingly US-centric (66% of the latest victims). However, a widening net is observed into Mexico (MX), India (IN), Germany (DE), and the Netherlands (NL), indicating global opportunistic scanning rather than targeted geopolitical espionage.
CVE Connection & Initial Access
The recent addition of specific CVEs to the CISA KEV list correlates directly with the victimology, specifically those relying on email services:
- SmarterTools SmarterMail (CVE-2025-52691 / CVE-2026-23760): The high frequency of attacks on US-based business and tech firms suggests this exploit is being used to breach email servers for initial access and credential harvesting.
- Microsoft Exchange (CVE-2023-21529): Despite being older, this deserialization vulnerability remains a potent entry point for unauthenticated actors.
- Cisco FMC (CVE-2026-20131): Targeting security infrastructure itself indicates a sophisticated attempt to disable defenses before deployment.
Detection Engineering
SIGMA Rules
title: Suspicious Web Server Process Spawning Shell
id: a2b0c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
description: Detects web server processes (IIS, Tomcat, SmarterMail) spawning cmd, powershell, or bash shells, indicative of web shell activity related to CVE-2025-52691 or CVE-2026-20131.
status: experimental
date: 2026/05/02
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\w3wp.exe'
            - '\java.exe'
            - '\SmarterMail\Service.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Administrative troubleshooting
level: critical
---
title: Microsoft Exchange Deserialization Anomaly
description: Detects suspicious deserialization activity or command execution patterns associated with CVE-2023-21529 on Microsoft Exchange servers.
date: 2026/05/02
status: experimental
logsource:
    product: windows
    service: security
detection:
    selection:
        # Sigma expresses alternatives as a list, not with an inline "or"
        EventID:
            - 5145
            - 4663
        ObjectType: 'File'
        FileName|contains:
            - 'AppPool'
            - 'Temporary ASP.NET Files'
    filter:
        # Exclude machine accounts (names ending in "$")
        SubjectUserName|endswith:
            - '$'
    condition: selection and not filter
level: high
---
title: Potential Ransomware Activity - Volume Shadow Copy Deletion
description: Detects usage of vssadmin or other tools to delete Volume Shadow Copies, a common step in the FULCRUMSEC playbook before encryption.
date: 2026/05/02
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\vssadmin.exe'
            - '\wbadmin.exe'
            - '\diskshadow.exe'
    cmdline:
        CommandLine|contains:
            - 'delete shadows'
            - 'delete backups'
    # Both the image and the command line must match; the image alone also fires on benign "list shadows"
    condition: selection and cmdline
level: critical
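To show how the first and third rules above behave on real-looking telemetry, here is an added Python matcher (not part of the original report or any Sigma tooling) that applies the same endswith/contains logic to a handful of constructed Sysmon-style process events. The sample events and the rule functions are assumptions for illustration; note that the shadow-copy rule needs both selections, so a plain "vssadmin list shadows" does not fire.

```python
# Constructed sample process-creation events (Sysmon-style field names);
# not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c whoami"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
]

def endswith_any(value, suffixes):
    """Sigma's |endswith modifier: case-insensitive suffix match on a list."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def contains_any(value, needles):
    """Sigma's |contains modifier: case-insensitive substring match on a list."""
    v = value.lower()
    return any(n.lower() in v for n in needles)

def webserver_spawns_shell(ev):
    """Rule 1: web server parent AND shell child, a single selection."""
    return (endswith_any(ev["ParentImage"], ["\\w3wp.exe", "\\java.exe", "\\SmarterMail\\Service.exe"])
            and endswith_any(ev["Image"], ["\\cmd.exe", "\\powershell.exe", "\\pwsh.exe"]))

def shadow_copy_deletion(ev):
    """Rule 3: both the 'selection' and 'cmdline' groups must match."""
    selection = endswith_any(ev["Image"], ["\\vssadmin.exe", "\\wbadmin.exe", "\\diskshadow.exe"])
    cmdline = contains_any(ev["CommandLine"], ["delete shadows", "delete backups"])
    return selection and cmdline

def evaluate(events):
    """Return (index, [names of rules triggered]) for every event."""
    rules = {"webserver_spawns_shell": webserver_spawns_shell,
             "shadow_copy_deletion": shadow_copy_deletion}
    return [(i, [name for name, fn in rules.items() if fn(ev)]) for i, ev in enumerate(events)]
```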
KQL (Microsoft Sentinel)
Hunts for lateral movement and data staging associated with FULCRUMSEC's manual interaction phases.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName has "powershell.exe" or FileName has "cmd.exe")
    and ProcessCommandLine has_any ("New-Object", "DownloadString", "IEX", "Invoke-Expression")
| where InitiatingProcessFileName has_any ("w3wp.exe", "services.exe", "svchost.exe")
    or InitiatingProcessFileSize < 1000 * 1024 // bytes (KQL has no "kb" literal); potential for spoofed parent processes
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| extend AlertContext = bag_pack("Timestamp", Timestamp, "Device", DeviceName, "CommandLine", ProcessCommandLine)
Rapid Response PowerShell Script
Checks for persistence mechanisms and recent VSS manipulation often used by this gang.
# FULCRUMSEC Rapid Response Check
Write-Host "[*] Checking for recent Scheduled Task creation..." -ForegroundColor Cyan
# MSFT_ScheduledTask exposes Date (a string), Author and Actions (plural); tasks without a Date are skipped
Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddDays(-7) } |
    Select-Object TaskName, Date, Author, Actions
Write-Host "[*] Checking for recent Volume Shadow Copy (VSS) provider events..." -ForegroundColor Cyan
# VSS logs to the Application log under provider 'VSS'; event IDs vary by operation, so list the latest entries instead of filtering on one ID
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
Write-Host "[*] Enumerating SmarterMail/Exchange IIS logs for recent 500 status codes..." -ForegroundColor Cyan
# Adjust path based on environment
$logPath = "C:\inetpub\logs\LogFiles\W3SVC*\*.log"
if (Test-Path $logPath) {
    Get-Content $logPath | Select-String " 500 " | Select-Object -Last 5
} else {
    Write-Host "Log path not found on this host."
}
---
Incident Response Priorities
- T-minus Detection Checklist:
  - Inspect SmarterMail and Exchange server logs for authenticated requests from unusual geolocations (check for IN, DE, NL, RU IPs).
  - Look for web shell file creation in \inetpub\wwwroot\ or C:\Program Files\SmarterTools\.
  - Hunt for powershell.exe processes spawned by w3wp.exe (IIS worker process).
- Critical Exfil Assets:
  - Healthcare: Patient records (PHI), insurance claims, imaging data.
  - Tech: Source code repositories (Git/SVN), client keys, SSL certificates.
  - Business Services: HR databases (SSN/Tax info), financial ledgers.
- Containment Actions:
  - Immediate: Isolate identified Exchange/SmarterMail servers from the network. Reset credentials for all service accounts associated with these servers.
  - Urgent: Revoke API keys for cloud storage (Azure Blob, AWS S3) if logs indicate large outbound transfers.
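The detection checklist and the rapid-response script both lean on IIS logs, so here is an added Python triage helper (not part of the original report) that parses IIS W3C log lines using their #Fields: header and flags POSTs to script files outside an assumed baseline plus 500 responses on script files, grouped by client IP. The log excerpt and the KNOWN_POST_PATHS baseline are constructed assumptions; a real run would feed the W3SVC*.log files and the host's own baseline.

```python
import io
from collections import Counter

# Constructed IIS W3C log excerpt; not from any real server.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2026-05-01 02:11:04 203.0.113.7 - POST /owa/auth/logon.aspx 200
2026-05-01 02:11:09 203.0.113.7 - POST /aspnet_client/x.aspx 500
2026-05-01 02:11:12 203.0.113.7 - POST /aspnet_client/x.aspx 200
2026-05-01 08:30:00 198.51.100.5 CORP\\jdoe GET /owa/ 200
2026-05-01 08:31:00 198.51.100.5 CORP\\jdoe POST /ecp/default.aspx 500
"""

# Assumed baseline of script paths that legitimately receive POSTs on this host;
# any other script path receiving a POST is treated as a candidate web shell.
KNOWN_POST_PATHS = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))

def triage(text, known_paths=KNOWN_POST_PATHS):
    """Return (Counter of flagged requests per client IP, list of flagged rows).
    Each row is (c-ip, method, uri, status, reason)."""
    flagged = []
    for r in parse_w3c(text):
        uri = r["cs-uri-stem"].lower()
        is_script = uri.endswith((".aspx", ".ashx", ".asmx"))
        new_post = r["cs-method"] == "POST" and is_script and uri not in known_paths
        error = r["sc-status"] == "500" and is_script
        if new_post or error:
            reason = "unbaselined_post" if new_post else "server_error"
            flagged.append((r["c-ip"], r["cs-method"], uri, r["sc-status"], reason))
    return Counter(row[0] for row in flagged), flagged
```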
Hardening Recommendations
Immediate (24 Hours)
- Patch Management: Apply updates for SmarterTools SmarterMail (addressing CVE-2025-52691 & CVE-2026-23760) and Microsoft Exchange (CVE-2023-21529) immediately. If patching is not possible, place these servers behind a zero-trust VPN with MFA enforced for all administrative access.
- External Attack Surface: Block internet access to management interfaces (Cisco FMC, SmarterMail admin panels) from untrusted IPs. Utilize allow-listing only.
Short-term (2 Weeks)
- Network Segmentation: Move email and file servers to a dedicated VLAN with strict egress rules (block FTP, RDP, and non-SMTP ports from these servers).
- Implementation of PAM: Enforce Privileged Access Management for all administrator accounts to prevent credential theft via lateral movement tools like Mimikatz.